/usr/sbin/shib-keygen is in shibboleth-sp2-utils 2.6.0+dfsg1-4+deb9u1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
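#! /bin/sh
# Generate a self-signed keypair for a Shibboleth SP.
#
# Usage: shib-keygen [-b] [-f] [-o outdir] [-u user] [-g group] [-h fqdn]
#                    [-y years] [-e entityID] [-n prefix]
#
# Writes ${prefix}-key.pem (mode 0600) and ${prefix}-cert.pem into the
# output directory and hands them to the configured user/group.
# Exit status: 0 on success (or when the files already exist in batch
# mode), 1 on a usage error or when openssl fails, 2 when the files
# already exist and -f was not given.

# Defaults added for Debian. They can still be overridden by command-line
# options.
OUT=/etc/shibboleth
USER=_shibd
GROUP=_shibd

usage() {
  printf '%s\n' "keygen [-b] [-f] [-o output directory (default /etc/shibboleth)] [-u username to own keypair] [-g owning groupname] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert] [-n filename prefix (default 'sp')]" >&2
}

while getopts n:h:u:g:o:e:y:bf c
do
  case $c in
    u) USER=$OPTARG ;;
    g) GROUP=$OPTARG ;;
    o) OUT=$OPTARG ;;
    b) BATCH=1 ;;
    f) FORCE=1 ;;
    h) FQDN=$OPTARG ;;
    e) ENTITYID=$OPTARG ;;
    y) YEARS=$OPTARG ;;
    n) PREFIX=$OPTARG ;;
    \?) usage; exit 1 ;;
  esac
done

# An empty -o argument means "current directory".
[ -n "$OUT" ] || OUT=.
[ -n "$PREFIX" ] || PREFIX=sp

KEY=$OUT/${PREFIX}-key.pem
CERT=$OUT/${PREFIX}-cert.pem

if [ -n "$FORCE" ] ; then
  rm -f -- "$KEY" "$CERT"
fi

if [ -s "$KEY" ] || [ -s "$CERT" ] ; then
  if [ -z "$BATCH" ] ; then
    printf 'The files %s and/or %s already exist!\n' "$KEY" "$CERT" >&2
    printf 'Use -f option to force recreation of keypair.\n' >&2
    exit 2
  fi
  exit 0
fi

# --fqdn flag added for Debian to generate better names for certificates.
[ -n "$FQDN" ] || FQDN=$(hostname --fqdn)
[ -n "$YEARS" ] || YEARS=10

# -y feeds both shell arithmetic and openssl -days; reject anything that
# is not a plain non-negative integer instead of failing obscurely later.
case $YEARS in
  ''|*[!0-9]*)
    printf 'keygen: -y expects a number of years, got "%s"\n' "$YEARS" >&2
    exit 1 ;;
esac
DAYS=$((YEARS * 365))

if [ -z "$ENTITYID" ] ; then
  ALTNAME=DNS:$FQDN
else
  ALTNAME=DNS:$FQDN,URI:$ENTITYID
fi

# Temporary OpenSSL config; removed on every exit path once it exists.
SSLCNF=$OUT/${PREFIX}-cert.cnf
trap 'rm -f -- "$SSLCNF"' EXIT
cat >"$SSLCNF" <<EOF
# OpenSSL configuration file for creating keypair
[req]
prompt=no
default_bits=3072
encrypt_key=no
default_md=sha256
distinguished_name=dn
# PrintableStrings only
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$FQDN
[ext]
subjectAltName=$ALTNAME
subjectKeyIdentifier=hash
EOF

# The key is written unencrypted (encrypt_key=no) so shibd can start
# unattended; create the file empty and restrict it before openssl fills
# it, so the private key is never exposed by a permissive umask.
touch "$KEY"
chmod 600 "$KEY"

if [ -z "$BATCH" ] ; then
  openssl req -config "$SSLCNF" -new -x509 -days "$DAYS" -keyout "$KEY" -out "$CERT"
else
  openssl req -config "$SSLCNF" -new -x509 -days "$DAYS" -keyout "$KEY" -out "$CERT" 2> /dev/null
fi
rc=$?
if [ "$rc" -ne 0 ] ; then
  # Do not leave an empty or partial keypair behind for a later run to
  # mistake for a valid one.
  printf 'keygen: openssl failed (exit %s)\n' "$rc" >&2
  rm -f -- "$KEY" "$CERT"
  exit 1
fi

if [ -s "$KEY" ] && [ -n "$USER" ] ; then
  chown -- "$USER" "$KEY" "$CERT"
fi
# The group test used to look at ${PREFIX}key.pem (missing hyphen), so the
# chgrp below effectively never ran; it now checks the real key file.
if [ -s "$KEY" ] && [ -n "$GROUP" ] ; then
  chgrp -- "$GROUP" "$KEY" "$CERT"
fi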